unbound replaces CNAME query with A query?

Petr Menšík pemensik at redhat.com
Fri Mar 31 11:01:28 UTC 2023


I am using dnssec-trigger-0.17-7.fc36.x86_64 and 
unbound-1.17.1-1.fc36.x86_64 on Fedora 36. But I cannot reproduce the 
behaviour, even if I flush the cache by "unbound-control flush_zone .". It 
is consistently returning CNAME with NOERROR. Does it happen only when 
unbound does not have forwarders and is iterating itself? I keep getting 
CNAME with NOERROR.

$ kdig cnametest.bleve.fi. CNAME
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33690
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; cnametest.bleve.fi.         IN    CNAME

;; ANSWER SECTION:
cnametest.bleve.fi.     7200    IN    CNAME    nxdomain.foobar.fi.

;; Received 66 B
;; Time 2023-03-31 12:58:20 CEST
;; From 127.0.0.1 at 53(UDP) in 0.5 ms

Does it happen only after unbound is freshly started? Are there steps to 
reproduce it on a running instance?

On 3/31/23 10:17, Tuomo Soini via Unbound-users wrote:
> On Thu, 30 Mar 2023 23:28:37 +0200
> Christoph via Unbound-users <unbound-users at lists.nlnetlabs.nl> wrote:
>
>> Hi Petr,
>>
>> thanks for your reply and your questions.
>>
>> Petr Menšík via Unbound-users:
>>> Correct me if I am not understanding it correctly. Whether you query a
>>> CNAME or A record should not make a difference to the NXDOMAIN status. But
>>> in any case the answer is not there. How does it change the ACME process
>>> when there is NXDOMAIN and not just a no-answer NOERROR response?
> There really seems to be an issue in unbound when querying CNAME.
>
> I created a test record, pointing at another domain, a non-existing name.
>
> kdig cnametest.bleve.fi. CNAME
>
> ;; ->>HEADER<<- opcode: QUERY; status: NXDOMAIN; id: 46683
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 0; AUTHORITY: 1; ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;; cnametest.bleve.fi. 		IN	CNAME
>
> ;; AUTHORITY SECTION:
> bleve.fi.           	3462	IN	SOA
> foo-ns.foobar.fi. hostmaster.foobar.fi. 1679142493 28800 7200 864000
> 28800
>
> ;; Received 97 B
> ;; Time 2023-03-31 11:13:51 EEST
> ;; From 2001:998:2e::1 at 53(UDP) in 0.8 ms
>
>
> If I query the authoritative server directly, I get the correct answer.
>
> It looks like unbound erroneously tries to follow the CNAME to a non-existing
> record even when the CNAME itself is queried. CNAME should only be followed
> if something != cname is queried.
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
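As an added example (not code from this thread, from unbound or from kdig), here is a small pure-Python check for the behaviour discussed above: it parses a raw DNS response to a CNAME-type query and reports "ok" when the CNAME RR comes back with NOERROR, and "suspect-followed-cname" when the resolver instead returns NXDOMAIN for the CNAME target. The two sample responses are constructed from the kdig outputs quoted in the thread; the function names, the message id and the header flags are assumptions.

```python
import struct
CNAME, SOA, NXDOMAIN = 5, 6, 3  # RR types and RCODE used below

def enc(name):
    # Uncompressed wire-format name; only used to build the constructed samples.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    # Decode a name, following compression pointers; returns (name, offset after it).
    labels, end = [], None
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # pointer: note where to resume, then jump
            end = off + 2 if end is None else end
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
        else:
            n = msg[off]
            labels.append(msg[off + 1:off + 1 + n].decode()); off += n + 1
    return ".".join(labels) + ".", (off + 1 if end is None else end)

def parse(msg):
    # Minimal response parser: header, one question, then the three RR sections.
    _, flags, _, an, ns, ar = struct.unpack("!6H", msg[:12])
    qname, off = read_name(msg, 12)
    qtype, off = struct.unpack("!H", msg[off:off + 2])[0], off + 4
    secs = {"answer": [], "authority": [], "additional": []}
    for sec, count in zip(secs, (an, ns, ar)):
        for _ in range(count):
            owner, off = read_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            secs[sec].append((owner, rtype, msg[off:off + rdlen])); off += rdlen
    return qname, qtype, flags & 0xF, secs

def classify(msg):
    # An explicit CNAME query must get the CNAME RR back with NOERROR, whatever the
    # target resolves to; NXDOMAIN here means the resolver chased the target instead.
    qname, qtype, rcode, secs = parse(msg)
    if qtype != CNAME:
        return "not-cname-query"
    if rcode == 0 and any(o == qname and t == CNAME for o, t, _ in secs["answer"]):
        return "ok"
    return "suspect-followed-cname" if rcode == NXDOMAIN else "other"

def build(rcode, answer, authority):
    # Constructed response (QR, RD, RA set) to the question cnametest.bleve.fi. IN CNAME.
    rr = lambda o, t, d: enc(o) + struct.pack("!HHIH", t, 1, 7200, len(d)) + d
    hdr = struct.pack("!6H", 33690, 0x8180 | rcode, 1, len(answer), len(authority), 0)
    return hdr + enc("cnametest.bleve.fi.") + struct.pack("!HH", CNAME, 1) + b"".join(rr(*r) for r in answer + authority)
# Constructed sample 1: the expected answer, CNAME returned with NOERROR.
GOOD = build(0, [("cnametest.bleve.fi.", CNAME, enc("nxdomain.foobar.fi."))], [])
# Constructed sample 2: the reported misbehaviour, NXDOMAIN with the zone SOA in AUTHORITY.
SOA_RDATA = enc("foo-ns.foobar.fi.") + enc("hostmaster.foobar.fi.") + struct.pack("!5I", 1679142493, 28800, 7200, 864000, 28800)
BAD = build(NXDOMAIN, [], [("bleve.fi.", SOA, SOA_RDATA)])
```

To check a live resolver, send the question bytes from `build` (header plus question only) over UDP to port 53 and pass the reply to `classify`.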
